9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23732

GHSA ID

GHSA-ff45-7prw-58vj

EPSS Score

0.73811%

CWE

CWE-78

Published

12/2/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23732

CVE-2021-23732:
OS Command injection in docker-cli-js

Withdrawn

After reviewing this CVE, and this response from the maintainer, we have withdrawn this advisory.

Original CVE description

This affects all versions of package docker-cli-js. If the command parameter of the Docker.command method can at least be partially controlled by a user, they will be in a position to execute any arbitrary OS commands on the host system.

(GitHub Advisory)

9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23732

GHSA ID

GHSA-ff45-7prw-58vj

EPSS Score

0.73811%

CWE

CWE-78

Published

12/2/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
docker-cli-js	npm	<= 2.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the Docker.command method which accepts user-controlled input that gets executed as part of a system command. Multiple sources (CVE description, GitHub issue #22, and Snyk analysis) confirm that insufficient input sanitization in this method allows command injection. The maintainer's 'wontfix' response and withdrawn advisory don't contradict the technical vulnerability but rather indicate lack of patching. The function name is explicitly mentioned in all vulnerability descriptions as the injection vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# Wit**r*wn **t*r r*vi*win* t*is *V*, *n* [t*is r*spons* *rom t** m*int*in*r](*ttps://*it*u*.*om/Quo*j**t/*o*k*r-*li-js/issu*s/**#issu**omm*nt-*********), w* **v* wit**r*wn t*is **visory. # Ori*in*l *V* **s*ription T*is *****ts *ll v*rsions o* p**

Reasoning

T** vuln*r**ility st*ms *rom t** `*o*k*r.*omm*n*` m*t*o* w*i** ****pts us*r-*ontroll** input t**t **ts *x**ut** *s p*rt o* * syst*m *omm*n*. Multipl* sour**s (*V* **s*ription, *it*u* issu* #**, *n* Snyk *n*lysis) *on*irm t**t insu**i*i*nt input s*nit

9

Basic Information

Concerned about an active attack path?

CVE-2021-23732: OS Command injection in docker-cli-js

Withdrawn

Original CVE description

9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-23732:
OS Command injection in docker-cli-js

Vulnerability Intelligence
Miggo AI